
Ransomware: Large players like LockBit and ALPHV/BlackCat are seemingly passé, but new, not yet established groups are moving into the emerging gaps. Ransomware-as-a-Service (RaaS) groups are also revising their internal division of labor and organization. Even states like Russia and North Korea are discovering ransomware as a source of revenue.
As a cybercriminal industry, ransomware is subject to constant change. This makes the threat landscape confusing and dangerous. Not only do the top ten extortionist groups change almost monthly, but individuals and small teams are playing a growing role. Furthermore, new groups seeking to establish a position in the criminal market often lower the barriers to entry for members and supporters, according to Martin Zugec, Technical Solutions Director at Bitdefender.
Structural change in the criminal economy
Criminal groups operate like highly organized software companies and service providers. A few key roles are crucial for efficient operations:
- As de facto business managers, operators are responsible for steering development, securing budgets, handling the criminal enterprise's administration, and managing innovation.
- Developers develop and maintain the malware. They set up the technical infrastructure to exploit vulnerabilities, compromise organizations, and spread ransomware.
- Initial Access Brokers find vulnerabilities in the corporate network and establish the most persistent access possible for the attack.
- Affiliates are professional hackers who work as independent contractors. They carry out the attack, implement the ransomware within the companies, and ensure its effective use.
However, the structures are open. In addition to the inner circle, the RaaS ecosystem includes other experts, such as data analysis and communications specialists. Negotiators attempt to maximize ransom after the attack.
Changing role models
RaaS groups are currently becoming more efficient and streamlined. Initial access brokers and developers are playing an increasingly large role and gaining influence over how attacks operate. Initial access brokers typically no longer wait for a contract or work agreement. They proactively gain access to multiple victim organizations, building a small portfolio of already compromised systems that they offer to other criminals. Developers, in turn, can lead smaller groups and hire other developers to program peripheral tooling and infrastructure for attacks: tools that bypass Endpoint Detection and Response (EDR), backdoors, or infrastructure that does not outwardly appear to serve black hat hacking.
Six new trends in APT groups
Increased competition and greater flexibility are making it ever more difficult to assess the threat situation. Furthermore, ransomware groups are changing their tactics and strategies. They often operate independently and prefer to target entire networks rather than individual endpoints. Specifically, six new trends can be observed:
- Fragmentation and partner changes: Readily available playbooks and open codebases from well-known groups like LockBit and Babuk allow successor actors to quickly launch their own RaaS activities. Many groups don't commit to a single partner and can work with multiple partners simultaneously. This allows them to strategically select the most effective ransomware variant for each attack. This is determined by various criteria, such as the endpoint security implemented on the target system.
- Data theft as the primary goal: Hackers are looking for loopholes to not only encrypt data but also monetize it. The potential for this is increasing: according to the NIST NVD, the number of vulnerabilities rose significantly, from 18,349 in 2020 to 40,011 in 2024. Known vulnerabilities are currently the focus of many RaaS groups, leading to an increase in the frequency of opportunistic ransomware attacks on edge devices. Data exfiltration is often a primary goal. Companies should respond by not only protecting themselves against data encryption, but also preventing the outflow of information.
- State-sponsored attacks: Ransomware operations are now often commissioned by states and carried out as advanced persistent threats (APTs). Firstly, ransoms generate significant revenue and finance state-sponsored initiatives such as Russia's military operations or North Korea's weapons programs. Secondly, ransomware attacks can cause significant economic damage and social unrest in the target countries. In reality, the lines between cybercrime and state-sponsored espionage are increasingly blurred, making the attribution of attacks more difficult. As a result, the risk of consequences for state actors is reduced.
- Hardly any industry remains taboo: To attract partners, many RaaS groups are removing previous restrictions on which industries they will attack and are targeting sectors that were previously considered taboo. Instead of targeting specific companies or industries, they are increasingly seeking opportunistic targets based on the tools those targets use and on known vulnerabilities. One logical consequence is the increase in attacks on the healthcare sector, for example. According to the report of the European Cybersecurity Agency ENISA, the number of annual ransomware incidents has been steadily increasing since 2021.
- Hacktivism disguised as ransomware: Politically motivated attacks have been on the decline in recent years. However, there are now signs of their renaissance. Hacktivist groups are increasingly using cybercrime tools and techniques to finance their activities and achieve their political or social goals. This trend is evident in the rise of groups like CiberInteligenciaSV, which are increasingly targeting critical infrastructures.
The ransomware scene is undergoing a transformation – structurally, tactically, and strategically. The often pragmatic goal of maximum economic success alone ensures this. Companies are left with no choice but to broadly deploy their defenses, as the threat posed by ransomware has become unpredictable. Companies should not only focus on prevention, but also prepare for the day after. The ability to detect and defend against threats, as well as to restore compromised systems, remains essential for rapid action in the event of an attack.
More at Bitdefender.com
About Bitdefender Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de